On 8 March 2023, the UK Government’s Department for Science, Innovation and Technology introduced the new Data Protection and Digital Information (No.2) Bill (the “DPDI”) to the UK Parliament.
What is the DPDI?
The DPDI seeks to reform the UK’s existing data protection regime (including the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003). Importantly, the DPDI will not replace these laws, but instead, it will amend and supplement the existing text in certain key areas.
What are the key areas of reform under the new DPDI?
The overarching objective behind the UK government’s data protection reform is to transition away from the EU’s “one size fits all” approach under the EU GDPR towards a more flexible, business-friendly approach to data protection compliance (without sacrificing the protection afforded to individual data subjects).
In its announcement, the UK Government emphasised its ambition to unlock innovation, new technologies and business opportunities and to release businesses from “unnecessary red tape”. Below we have outlined some of the key proposed practical changes which are intended to give organisations greater flexibility when approaching privacy compliance.
- Definition of personal data: the DPDI proposes a “reasonableness” threshold when determining whether information directly or indirectly relates to an individual. This means that whether information is deemed “personal data” will be determined by whether the individual is identifiable by reasonable means at the time of processing, or whether the organisation ought reasonably to know that another person could identify that individual by reasonable means at the time of processing.
- Legitimate interests: the DPDI seeks to provide further clarification around processing situations which would be deemed necessary for an organisation’s legitimate interests. It now includes some practical examples that are common in businesses, for example, processing that is necessary for (a) direct marketing, (b) intra-group transmission of personal data for internal administrative purposes and (c) ensuring the security of networks and systems.
- Purpose limitation: in order to encourage innovation, the DPDI sets out several instances in which organisations may conduct further processing of personal data they have already collected. The examples include scientific or historical research, archiving in the public interest and statistical purposes.
- Definition of research: the DPDI provides clarity over the circumstances in which processing will be considered “research” and shall include (i) scientific research, whether carried out as a commercial or non-commercial activity, (ii) processing for technological development or (iii) a study on public health.
- Data subject requests: organisations will be able to refuse data subject requests in instances where the controller deems them to be “vexatious or excessive.”
- Record of processing activities (ROPA): the DPDI proposes that a ROPA will only be required in instances where the controller carries out high-risk processing.
- Data protection impact assessments: these will be replaced with an “assessment of high-risk processing” and will only be required in instances of high-risk processing.
What happens next?
In the next few weeks, the DPDI will progress to the second reading stage in the UK Parliament. It will be examined in further detail by Parliament and relevant subject experts and may undergo further changes.